@coana-tech/cli 14.11.7 → 14.11.9

package/cli.mjs

@@ -209443,7 +209443,7 @@ function shouldIgnoreDir(dir) {
   return dirsToIgnore.includes(dir);
 }
 function shouldIgnoreDueToExcludeDirsOrChangedFiles({ mainProjectDir, excludeDirs, changedFiles }, fullPath) {
-  const relativeToProjectDir = relative9(mainProjectDir, fullPath);
+  const relativeToProjectDir = relative9(mainProjectDir, fullPath) || ".";
   return !!(isMatch3(relativeToProjectDir, excludeDirs) || changedFiles && !changedFiles.some((changedFile) => changedFile.startsWith(relativeToProjectDir)));
 }
 
@@ -210096,7 +210096,7 @@ function inferWorkspaceFromManifestPath(ecosystem, manifestPath, properPythonPro
       return dirname8(manifestPath) || ".";
     }
     default: {
-      return void 0;
+      return ".";
     }
   }
 }
@@ -210384,6 +210384,8 @@ function toSocketReachabilitySchema(vulnerability) {
     return { type: "error", error: vulnerability.codeAwareScanResult.message };
   }
   if (vulnerability.codeAwareScanResult.type === "otherError") {
+    if (vulnerability.codeAwareScanResult.message.includes("Reachability analysis for languages using"))
+      return { type: "unknown" };
     return { type: "error", error: vulnerability.codeAwareScanResult.message };
   }
   if (vulnerability.codeAwareScanResult.type === "success") {
@@ -225338,7 +225340,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.11.7";
+var version2 = "14.11.9";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -225423,9 +225425,18 @@ var CliCore = class {
     if (this.options.ecosystems)
       this.options.ecosystems.forEach((ecosystem) => {
         if (!ECOSYSTEMS_WITH_TRADITIONAL_SCA_SUPPORT.includes(ecosystem)) {
-          throw new Error(`Invalid ecosystem: ${ecosystem}.`);
+          throw new Error(`Invalid ecosystem: ${ecosystem}. Supported ecosystems are: ${ECOSYSTEMS_WITH_TRADITIONAL_SCA_SUPPORT.join(", ")}`);
         }
       });
+    if (this.options.purlTypes) {
+      this.options.purlTypes.forEach((purlType) => {
+        try {
+          getAdvisoryEcosystemFromPurlType(purlType);
+        } catch (e) {
+          throw new Error(`Invalid purl type: ${purlType}. Supported purl types are: ${ECOSYSTEMS_WITH_TRADITIONAL_SCA_SUPPORT.map((ecosystem) => getPurlType(ecosystem)).join(", ")}`);
+        }
+      });
+    }
     if (this.options.manifestsTarHash && !this.options.socketMode) {
       throw new Error("The --manifests-tar-hash option is only supported when using --socket-mode");
     }
@@ -225494,6 +225505,10 @@ var CliCore = class {
     const vulnsWithResults = [];
     for (const [ecosystem, workspaceToAnalysisData] of Object.entries(ecosystemToWorkspaceToAnalysisData)) {
       this.sendProgress("RUN_ON_SUBPROJECT", true, this.rootWorkingDirectory);
+      const isEcosystemToAnalyze = !this.options.purlTypes || this.options.purlTypes.some((purlType) => getAdvisoryEcosystemFromPurlType(purlType) === ecosystem);
+      if (!isEcosystemToAnalyze) {
+        logger.info(`Skipping reachability analysis for ecosystem ${getPurlType(ecosystem)} due to it not being included in the list of ecosystems to analyze.`);
+      }
       vulnsWithResults.push(...Object.values(await this.runReachabilityAnalysisForWorkspaces(
         workspaceToAnalysisData,
         ecosystemToWorkspaceToVulnerabilities[ecosystem] ?? {},
@@ -225502,7 +225517,7 @@ var CliCore = class {
         otherModulesCommunicator,
         this.rootWorkingDirectory,
         ecosystem,
-        true
+        ["NPM", "PIP"].includes(ecosystem) && isEcosystemToAnalyze
       )).flat());
       this.sendProgress("RUN_ON_SUBPROJECT", false, this.rootWorkingDirectory);
     }
@@ -225760,10 +225775,10 @@ Subproject: ${subproject}`);
   }
   async runReachabilityAnalysisForWorkspaces(workspacePathToDataForAnalysis, workspaceToVulnerabilities, workspaceToDirectDependencies, otherModulesCommunicator, subprojectPath, ecosystem, reachabilitySupported) {
     const workspaceToAugmentedVulnerabilities = Object.fromEntries(await asyncMap(Object.keys(workspacePathToDataForAnalysis), async (workspacePath) => {
+      const vulnerabilities = workspaceToVulnerabilities[workspacePath];
       try {
         const dataForAnalysis = workspacePathToDataForAnalysis[workspacePath];
-        const vulnerabilities = workspaceToVulnerabilities[workspacePath];
-        const augmentedVulnerabilities = reachabilitySupported ? await this.runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, dataForAnalysis, ecosystem, vulnerabilities) : vulnerabilities.map((v) => ({
+        const augmentedVulnerabilities = reachabilitySupported && !this.shouldExcludeAnalyzingWorkspace(subprojectPath, workspacePath) ? await this.runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, dataForAnalysis, ecosystem, vulnerabilities) : vulnerabilities.map((v) => ({
           ...v,
           results: {
             type: "otherError",
@@ -225773,17 +225788,16 @@ Subproject: ${subproject}`);
         return [workspacePath, augmentedVulnerabilities];
       } catch (e) {
         logger.error(`Reachability analysis failed for workspace ${workspacePath} in subproject ${subprojectPath}: ${e.message}`);
-        if (this.options.ignoreFailingWorkspaces) {
-          const relativeSubprojectPath = relative11(this.rootWorkingDirectory, subprojectPath) || ".";
-          this.failedWorkspaces.push({
-            subproject: relativeSubprojectPath,
-            workspace: workspacePath,
-            error: e.message || "Unknown error",
-            phase: "reachability-analysis"
-          });
-          return [workspacePath, void 0];
-        }
-        throw e;
+        return [
+          workspacePath,
+          vulnerabilities.map((v) => ({
+            ...v,
+            results: {
+              type: "otherError",
+              message: e.message || "Unknown error"
+            }
+          }))
+        ];
       }
     }));
     const successfulWorkspaceToAugmentedVulnerabilities = Object.fromEntries(Object.entries(workspaceToAugmentedVulnerabilities).filter(([_, vulns]) => vulns !== void 0));
@@ -225838,6 +225852,18 @@ Subproject: ${subproject}`);
       }
     }
   }
+  shouldExcludeAnalyzingWorkspace(subprojectPath, workspacePath) {
+    const shouldExcludeWorkspaceForAnalysis = shouldIgnoreDueToExcludeDirsOrChangedFiles({
+      mainProjectDir: this.rootWorkingDirectory,
+      excludeDirs: this.options.excludeDirs ?? [],
+      changedFiles: this.options.changedFiles,
+      includeDirs: this.options.includeDirs ?? []
+    }, resolve25(subprojectPath, workspacePath));
+    if (shouldExcludeWorkspaceForAnalysis) {
+      logger.info(`Skipping reachability analysis for workspace ${workspacePath} due to it being excluded.`);
+    }
+    return shouldExcludeWorkspaceForAnalysis;
+  }
   async runReachabilityAnalysis(otherModulesCommunicator, subprojectPath, workspacePath, workspaceData, ecosystem, vulnerabilities) {
     const [vulnsWithActualAPIPatterns, result] = partition(vulnerabilities, (v) => Array.isArray(v.vulnerabilityAccessPaths));
     for (const v of result)
@@ -226255,9 +226281,10 @@ function computeSBOMTaskArtifacts(dependencyTrees) {
 // dist/index.js
 var program2 = new Command();
 var run2 = new Command();
-run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).configureHelp({ sortOptions: true }).action(async (path2, options) => {
+run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).version(version2).configureHelp({ sortOptions: true }).action(async (path2, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version2;
   options.ecosystems = options.ecosystems?.map((e) => e.toUpperCase());
+  options.purlTypes = options.purlTypes?.map((e) => e.toLowerCase());
   await new CliCore(path2, options).main();
 });
 var applyFixes = new Command();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.11.7",
+  "version": "14.11.9",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -64950,7 +64950,7 @@ var require_comparator = __commonJS({
 var require_satisfies = __commonJS({
   "../../node_modules/.pnpm/semver@7.7.1/node_modules/semver/functions/satisfies.js"(exports, module) {
     var Range = require_range2();
-    var satisfies2 = (version3, range, options) => {
+    var satisfies3 = (version3, range, options) => {
       try {
         range = new Range(range, options);
       } catch (er) {
@@ -64958,7 +64958,7 @@ var require_satisfies = __commonJS({
       }
       return range.test(version3);
     };
-    module.exports = satisfies2;
+    module.exports = satisfies3;
   }
 });
 
@@ -65107,7 +65107,7 @@ var require_outside = __commonJS({
     var Comparator = require_comparator();
     var { ANY } = Comparator;
     var Range = require_range2();
-    var satisfies2 = require_satisfies();
+    var satisfies3 = require_satisfies();
     var gt = require_gt();
     var lt2 = require_lt();
     var lte = require_lte();
@@ -65134,7 +65134,7 @@ var require_outside = __commonJS({
         default:
           throw new TypeError('Must provide a hilo val of "<" or ">"');
       }
-      if (satisfies2(version3, range, options)) {
+      if (satisfies3(version3, range, options)) {
         return false;
       }
       for (let i2 = 0; i2 < range.set.length; ++i2) {
@@ -65202,7 +65202,7 @@ var require_intersects = __commonJS({
 // ../../node_modules/.pnpm/semver@7.7.1/node_modules/semver/ranges/simplify.js
 var require_simplify = __commonJS({
   "../../node_modules/.pnpm/semver@7.7.1/node_modules/semver/ranges/simplify.js"(exports, module) {
-    var satisfies2 = require_satisfies();
+    var satisfies3 = require_satisfies();
     var compare = require_compare();
     module.exports = (versions, range, options) => {
       const set = [];
@@ -65210,7 +65210,7 @@ var require_simplify = __commonJS({
       let prev2 = null;
       const v = versions.sort((a2, b) => compare(a2, b, options));
       for (const version3 of v) {
-        const included = satisfies2(version3, range, options);
+        const included = satisfies3(version3, range, options);
         if (included) {
           prev2 = version3;
           if (!first2) {
@@ -65254,7 +65254,7 @@ var require_subset = __commonJS({
     var Range = require_range2();
     var Comparator = require_comparator();
     var { ANY } = Comparator;
-    var satisfies2 = require_satisfies();
+    var satisfies3 = require_satisfies();
     var compare = require_compare();
     var subset = (sub, dom, options = {}) => {
       if (sub === dom) {
@@ -65323,14 +65323,14 @@ var require_subset = __commonJS({
         }
       }
       for (const eq2 of eqSet) {
-        if (gt && !satisfies2(eq2, String(gt), options)) {
+        if (gt && !satisfies3(eq2, String(gt), options)) {
           return null;
         }
-        if (lt2 && !satisfies2(eq2, String(lt2), options)) {
+        if (lt2 && !satisfies3(eq2, String(lt2), options)) {
           return null;
         }
         for (const c of dom) {
-          if (!satisfies2(eq2, String(c), options)) {
+          if (!satisfies3(eq2, String(c), options)) {
             return false;
           }
         }
@@ -65357,7 +65357,7 @@ var require_subset = __commonJS({
             if (higher === c && higher !== gt) {
               return false;
             }
-          } else if (gt.operator === ">=" && !satisfies2(gt.semver, String(c), options)) {
+          } else if (gt.operator === ">=" && !satisfies3(gt.semver, String(c), options)) {
             return false;
           }
         }
@@ -65372,7 +65372,7 @@ var require_subset = __commonJS({
             if (lower === c && lower !== lt2) {
               return false;
             }
-          } else if (lt2.operator === "<=" && !satisfies2(lt2.semver, String(c), options)) {
+          } else if (lt2.operator === "<=" && !satisfies3(lt2.semver, String(c), options)) {
             return false;
           }
         }
@@ -65441,7 +65441,7 @@ var require_semver2 = __commonJS({
     var coerce = require_coerce();
     var Comparator = require_comparator();
     var Range = require_range2();
-    var satisfies2 = require_satisfies();
+    var satisfies3 = require_satisfies();
     var toComparators = require_to_comparators();
     var maxSatisfying = require_max_satisfying();
     var minSatisfying = require_min_satisfying();
@@ -65479,7 +65479,7 @@ var require_semver2 = __commonJS({
       coerce,
       Comparator,
       Range,
-      satisfies: satisfies2,
+      satisfies: satisfies3,
       toComparators,
       maxSatisfying,
       minSatisfying,
@@ -73697,7 +73697,7 @@ ${error.message}`);
 
 // dist/whole-program-code-aware-vulnerability-scanner/analyze-in-buckets.js
 var import_lodash17 = __toESM(require_lodash(), 1);
-var import_semver2 = __toESM(require_semver2(), 1);
+var import_semver3 = __toESM(require_semver2(), 1);
 import assert8 from "assert";
 import { relative as relative5 } from "path";
 
@@ -96268,6 +96268,7 @@ async function getVersion(analysisName) {
 }
 
 // dist/whole-program-code-aware-vulnerability-scanner/python/python-code-aware-vulnerability-scanner.js
+var import_semver2 = __toESM(require_semver2(), 1);
 var { omit, once: once3, pick, sortedUniq, uniqBy } = import_lodash14.default;
 var PythonCodeAwareVulnerabilityScanner = class _PythonCodeAwareVulnerabilityScanner {
   state;
@@ -96276,6 +96277,7 @@ var PythonCodeAwareVulnerabilityScanner = class _PythonCodeAwareVulnerabilitySca
   numberAnalysesRun = 0;
   virtualEnvInfo;
   vm;
+  mambaladeVenvPath;
   constructor(state, projectDir, _statusUpdater) {
     this.state = state;
     this.projectDir = projectDir;
@@ -96293,6 +96295,9 @@ var PythonCodeAwareVulnerabilityScanner = class _PythonCodeAwareVulnerabilitySca
   async runAnalysis(vulns, heuristic, analyzesAllVulns) {
     if (!this.virtualEnvInfo)
       throw new Error("Virtual environment not set up");
+    if (!this.mambaladeVenvPath) {
+      await this.setupMambalade();
+    }
     logger.info("Started instantiating Python code-aware analysis");
     logger.debug(`Trying to find files to analyze from projectDir: ${this.projectDir}`);
     const { rootWorkingDir, reachabilityAnalysisOptions } = this.state;
@@ -96326,7 +96331,7 @@ runpy.run_module("mambalade", alter_sys=True)
     const excludeDistributionsOption = packagesToExclude?.size ? ["--exclude-distributions", ...packagesToExclude] : [];
     const timeout = reachabilityAnalysisOptions.timeoutInSeconds ?? // 10 minutes for the first analysis, 1 minute for subsequent analyses
     (analyzesAllVulns ? 60 * 10 : 60);
-    const pythonExecutable = resolve12(COANA_REPOS_PATH(), "mambalade", ".venv", "bin", "python");
+    const pythonExecutable = join15(this.mambaladeVenvPath, "bin", "python");
     const mambaladeArgs = [
       pythonExecutable,
       wrapperPath,
@@ -96603,12 +96608,34 @@ ${msg}`;
   getVirtualEnvInfo() {
     return this.virtualEnvInfo;
   }
+  async setupMambalade() {
+    const venvDir = await createTmpDirectory("mambalade-venv");
+    logger.info("Creating Mambalade virtual environment");
+    const pythonInterpreter = await getPythonInterpreter();
+    await exec(cmdt`${pythonInterpreter} -SIm venv ${venvDir}`);
+    const mambaladeWheelsPath = join15(COANA_REPOS_PATH(), "mambalade", "dist");
+    const wheelFiles = await readdir3(mambaladeWheelsPath);
+    const mambaladeWheels = wheelFiles.filter((f2) => f2.endsWith(".whl")).map((f2) => join15(mambaladeWheelsPath, f2));
+    if (mambaladeWheels.length === 0) {
+      throw new Error(`No mambalade wheel files found in ${mambaladeWheelsPath}`);
+    }
+    logger.info(`Installing mambalade wheels: ${mambaladeWheels.join(", ")}`);
+    await exec(cmdt`${venvDir}/bin/pip install --no-deps ${mambaladeWheels}`);
+    this.mambaladeVenvPath = venvDir;
+    logger.info("Mambalade virtual environment setup complete");
+  }
   // async [Symbol.asyncDispose]() {
   async cleanup() {
     if (this.virtualEnvInfo?.temporary) {
-      await rm5(this.virtualEnvInfo.virtualEnvFolder, { recursive: true, force: true });
+      await rm5(this.virtualEnvInfo.virtualEnvFolder, { recursive: true, force: true }).catch(() => {
+      });
       this.virtualEnvInfo = void 0;
     }
+    if (this.mambaladeVenvPath) {
+      await rm5(this.mambaladeVenvPath, { recursive: true, force: true }).catch(() => {
+      });
+      this.mambaladeVenvPath = void 0;
+    }
   }
 };
 async function findFilesToAnalyze(projectDir) {
@@ -96647,6 +96674,16 @@ function transformSourceLocations2(appPath, fileMappings, detectedOccurrences) {
     }
   return detectedOccurrences;
 }
+async function getPythonInterpreter() {
+  const pythonVersionRequired = ">=3.11.0";
+  const pypyVersion = await getPythonVersion("pypy3").catch(() => void 0);
+  if (pypyVersion && (0, import_semver2.satisfies)(pypyVersion, pythonVersionRequired))
+    return "pypy3";
+  const pythonVersion = await getPythonVersion("python3").catch(() => void 0);
+  if (pythonVersion && (0, import_semver2.satisfies)(pythonVersion, pythonVersionRequired))
+    return "python3";
+  throw new Error(`No Python ${pythonVersionRequired} interpreter found`);
+}
 
 // dist/whole-program-code-aware-vulnerability-scanner/python/phantom-deps.js
 var { uniq: uniq8 } = import_lodash15.default;
@@ -96890,7 +96927,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
     if (bucketsFromLastAnalysis.some((b) => b.heuristicName === heuristics.IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3.name))
       return;
     try {
-      if ((0, import_semver2.lt)(cliVersion, CLI_VERSION_TO_USE_CACHING_FROM[ecosystem] ?? CLI_VERSION_TO_USE_CACHING_FROM_DEFAULT))
+      if ((0, import_semver3.lt)(cliVersion, CLI_VERSION_TO_USE_CACHING_FROM[ecosystem] ?? CLI_VERSION_TO_USE_CACHING_FROM_DEFAULT))
         return void 0;
     } catch (e) {
       return void 0;